From tuctboh at gmail.com Mon Sep 21 13:40:44 2020
From: tuctboh at gmail.com (Scott Ellentuch)
Date: Mon, 21 Sep 2020 13:40:44 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
Message-ID:

Hi,

I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info

# more /etc/sasl2/Sendmail.conf
pwcheck_method:saslauthd

# egrep -v "^#" /etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=-d

# cat /etc/pam.d/smtp
#%PAM-1.0
auth include password-auth
account include password-auth

I'm having an issue when using "AUTH LOGIN" but not in every case.

*Port 25:
SENDMAIL -
235 2.0.0 OK Authenticated

SASLAUTHD -
saslauthd[26872] :released accept lock
saslauthd[26871] :acquired accept lock
saslauthd[26872] :auth success: [user=USER] [service=smtp] [realm=] [mech=pam]
saslauthd[26872] :response: OK

---
*Port 587:
SENDMAIL -
235 2.0.0 OK Authenticated

SASLAUTHD -
saslauthd[26871] :released accept lock
saslauthd[26875] :acquired accept lock
saslauthd[26871] :auth success: [user=USER] [service=smtp] [realm=] [mech=pam]
saslauthd[26871] :response: OK

---
*Port 25 STARTTLS:
SENDMAIL (Via openssl s_client -connect)
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = MYSERVERNAME
verify return:1
(I HIT RETURN HERE)
535 5.7.0 authentication failed

SASLAUTHD-
saslauthd[26875] :released accept lock
saslauthd[26875] :NULL password received
saslauthd[26875] :acquired accept lock

---
*Port 465
SENDMAIL - (Via openssl s_client -connect)
RENEGOTIATING
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = MYSERVERNAME
verify return:1
(I HIT RETURN HERE)
535 5.7.0 authentication failed

SASLAUTHD-
saslauthd[26875] :released accept lock
saslauthd[26874] :acquired accept lock
saslauthd[26875] :NULL password received

---
*testsaslauthd non existent service -
TESTSASLAUTHD -
0: NO "authentication failed"

SASLAUTHD-
saslauthd[26873] :released accept lock
saslauthd[26872] :acquired accept lock
saslauthd[26873] :auth failure: [user=USER] [service=nonexistant] [realm=] [mech=pam] [reason=PAM auth error]

---
*testsaslauthd smtp service
TESTSASLAUTHD -
0: OK "Success."

SASLAUTHD -
saslauthd[26872] :released accept lock
saslauthd[26871] :acquired accept lock
saslauthd[26872] :auth success: [user=user] [service=smtp] [realm=] [mech=pam]
saslauthd[26872] :response: OK

---

I'm not sure why things work fine during plaintext, and then it gives ":NULL password received" when it's STARTTLS / SSL.

Any pointers to look / tweak / etc?

Tnx, Tuc

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From tuctboh at gmail.com Mon Sep 21 22:17:19 2020
From: tuctboh at gmail.com (Scott Ellentuch)
Date: Mon, 21 Sep 2020 22:17:19 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To:
References:
Message-ID:

Hi,

So with some more debugging, I'm learning that with my normal password, and variations of it, it continues that RENEGOTIATION and it never sends the actual data to sendmail. Same if I use it in the user field.

Example passwords that do this:

REFQQVNTV09SRA==
RE9XSm9uZXM=
RGl3YWxp

I'm also finding that some passwords (Trying for the heck of it) go straight from "334 UGFzc3dvcmQ6" to "DONE". Just like that, nothing else. Same for going from "334 VXNlcm5hbWU6" to "DONE".

Examples of passwords that do this:

Q2hlY2tpbmdBY2NvdW50
Q2hhbmdlLm9yZw==

Any ideas?

Tnx, Tuc

On Mon, Sep 21, 2020 at 1:40 PM Scott Ellentuch wrote:

> Hi,
>
> I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info
>
> # more /etc/sasl2/Sendmail.conf
> pwcheck_method:saslauthd
>
> # egrep -v "^#" /etc/sysconfig/saslauthd
> SOCKETDIR=/var/run/saslauthd
> MECH=pam
> FLAGS=-d
>
> # cat /etc/pam.d/smtp
> #%PAM-1.0
> auth include password-auth
> account include password-auth
>
> I'm having an issue when using "AUTH LOGIN" but not in every case.
>
> *Port 25:
> SENDMAIL -
> 235 2.0.0 OK Authenticated
>
> SASLAUTHD -
> saslauthd[26872] :released accept lock
> saslauthd[26871] :acquired accept lock
> saslauthd[26872] :auth success: [user=USER] [service=smtp] [realm=] [mech=pam]
> saslauthd[26872] :response: OK
>
> ---
> *Port 587:
> SENDMAIL -
> 235 2.0.0 OK Authenticated
>
> SASLAUTHD -
> saslauthd[26871] :released accept lock
> saslauthd[26875] :acquired accept lock
> saslauthd[26871] :auth success: [user=USER] [service=smtp] [realm=] [mech=pam]
> saslauthd[26871] :response: OK
>
> ---
> *Port 25 STARTTLS:
> SENDMAIL (Via openssl s_client -connect)
> RENEGOTIATING
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = MYSERVERNAME
> verify return:1
> (I HIT RETURN HERE)
> 535 5.7.0 authentication failed
>
> SASLAUTHD-
> saslauthd[26875] :released accept lock
> saslauthd[26875] :NULL password received
> saslauthd[26875] :acquired accept lock
>
> ---
> *Port 465
> SENDMAIL - (Via openssl s_client -connect)
> RENEGOTIATING
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = MYSERVERNAME
> verify return:1
> (I HIT RETURN HERE)
> 535 5.7.0 authentication failed
>
> SASLAUTHD-
> saslauthd[26875] :released accept lock
> saslauthd[26874] :acquired accept lock
> saslauthd[26875] :NULL password received
>
> ---
> *testsaslauthd non existent service -
> TESTSASLAUTHD -
> 0: NO "authentication failed"
>
> SASLAUTHD-
> saslauthd[26873] :released accept lock
> saslauthd[26872] :acquired accept lock
> saslauthd[26873] :auth failure: [user=USER] [service=nonexistant] [realm=] [mech=pam] [reason=PAM auth error]
>
> ---
> *testsaslauthd smtp service
> TESTSASLAUTHD -
> 0: OK "Success."
>
> SASLAUTHD -
> saslauthd[26872] :released accept lock
> saslauthd[26871] :acquired accept lock
> saslauthd[26872] :auth success: [user=user] [service=smtp] [realm=] [mech=pam]
> saslauthd[26872] :response: OK
>
> ---
>
> I'm not sure why things work fine during plaintext, and then it gives ":NULL password received" when it's STARTTLS / SSL.
>
> Any pointers to look / tweak / etc?
>
> Tnx, Tuc

From quanah at symas.com Tue Sep 22 00:12:12 2020
From: quanah at symas.com (Quanah Gibson-Mount)
Date: Mon, 21 Sep 2020 21:12:12 -0700
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To:
References:
Message-ID: <54E272F68FB9E21A4AB1E4C7@[192.168.1.156]>

--On Monday, September 21, 2020 2:40 PM -0400 Scott Ellentuch wrote:

> I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info

Cyrus-SASL 2.1.23 released on 4/27/2009, over 11 years ago.

You may want to see if the behavior you're describing is addressed by any of the years of fixes since then as noted in

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From tuctboh at gmail.com Tue Sep 22 21:39:46 2020
From: tuctboh at gmail.com (Scott Ellentuch)
Date: Tue, 22 Sep 2020 21:39:46 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To: <54E272F68FB9E21A4AB1E4C7@192.168.1.156>
References: <54E272F68FB9E21A4AB1E4C7@192.168.1.156>
Message-ID:

Hi,

Thanks for the reply. These were the versions available on the OS I was using (Amazon Linux 1).

I decided to move over to CentOS 7, postfix 2.10, dovecot-2.2.36 and cyrus-sasl-lib-2.1.26. I realize this isn't the absolute latest of everything, but again, the closest I could get with RPMs right now.

And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE.

I also spun up CentOS 8 which gave me postfix-3.3.1, dovecot-2.3.8 and cyrus-sasl-lib-2.1.27.

And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE.

I really need to get this going, any thoughts?

Tnx, Tuc

On Tue, Sep 22, 2020 at 12:12 AM Quanah Gibson-Mount wrote:

> --On Monday, September 21, 2020 2:40 PM -0400 Scott Ellentuch wrote:
>
> > I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info
>
> Cyrus-SASL 2.1.23 released on 4/27/2009, over 11 years ago.
>
> You may want to see if the behavior you're describing is addressed by any of the years of fixes since then as noted in
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From tuctboh at gmail.com Wed Sep 23 11:42:26 2020
From: tuctboh at gmail.com (Scott Ellentuch)
Date: Wed, 23 Sep 2020 11:42:26 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To:
References: <54E272F68FB9E21A4AB1E4C7@192.168.1.156>
Message-ID:

Hi,

This is getting curiouser and curiouser.

I decided to outsmart things, and put a stunnel in front of SMTP listening on 465, talking to 25. Genius, huh? Yea, not totally.

So I configured it to forward 465 to 25, started my openssl s_client and..... EXACT SAME ISSUES!!!

What the bloody heck!?

I even changed out the LetsEncrypt cert for a ZeroSSL one, same issue.

I'm running libssl.so.1.0.2k with Amazon patches.

Not sure where to go at this point..

Tuc

On Tue, Sep 22, 2020 at 9:39 PM Scott Ellentuch wrote:

> Hi,
>
> Thanks for the reply. These were the versions available on the OS I was using (Amazon Linux 1).
>
> I decided to move over to CentOS 7, postfix 2.10, dovecot-2.2.36 and cyrus-sasl-lib-2.1.26. I realize this isn't the absolute latest of everything, but again, the closest I could get with RPMs right now.
>
> And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE.
>
> I also spun up CentOS 8 which gave me postfix-3.3.1, dovecot-2.3.8 and cyrus-sasl-lib-2.1.27.
>
> And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE.
>
> I really need to get this going, any thoughts?
>
> Tnx, Tuc
>
> On Tue, Sep 22, 2020 at 12:12 AM Quanah Gibson-Mount wrote:
>
>> --On Monday, September 21, 2020 2:40 PM -0400 Scott Ellentuch wrote:
>>
>> > I'm using sendmail 8.14.4 and Sasl 2.1.23. Config info
>>
>> Cyrus-SASL 2.1.23 released on 4/27/2009, over 11 years ago.
>>
>> You may want to see if the behavior you're describing is addressed by any of the years of fixes since then as noted in
>>
>> Regards,
>> Quanah
>>
>> --
>>
>> Quanah Gibson-Mount
>> Product Architect
>> Symas Corporation
>> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From quanah at symas.com Wed Sep 23 14:18:42 2020
From: quanah at symas.com (Quanah Gibson-Mount)
Date: Wed, 23 Sep 2020 11:18:42 -0700
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To:
References: <54E272F68FB9E21A4AB1E4C7@192.168.1.156>
Message-ID: <987976FFBE02B3C3510DB2B8@[192.168.1.156]>

--On Wednesday, September 23, 2020 12:42 PM -0400 Scott Ellentuch wrote:

> Hi,

What is your exact openssl s_client command?

I.e., you didn't list that you used -starttls smtp as an option in your original email.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From sjp at qad.com Wed Sep 23 14:26:01 2020
From: sjp at qad.com (Sean Phillips)
Date: Wed, 23 Sep 2020 14:26:01 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To: <987976FFBE02B3C3510DB2B8@192.168.1.156>
References: <54E272F68FB9E21A4AB1E4C7@192.168.1.156> <987976FFBE02B3C3510DB2B8@192.168.1.156>
Message-ID:

unsubscribe

On Wed, Sep 23, 2020 at 2:21 PM Quanah Gibson-Mount wrote:

> --On Wednesday, September 23, 2020 12:42 PM -0400 Scott Ellentuch wrote:
>
> > Hi,
>
> What is your exact openssl s_client command?
>
> I.e., you didn't list that you used -starttls smtp as an option in your original email.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

From tuctboh at gmail.com Wed Sep 23 14:28:36 2020
From: tuctboh at gmail.com (Scott Ellentuch)
Date: Wed, 23 Sep 2020 14:28:36 -0400
Subject: SASL Auth not working SMTP with STARTTLS/SSL
In-Reply-To: <987976FFBE02B3C3510DB2B8@192.168.1.156>
References: <54E272F68FB9E21A4AB1E4C7@192.168.1.156> <987976FFBE02B3C3510DB2B8@192.168.1.156>
Message-ID:

Hi,

Thanks for replying. I don't know if I should laugh or cry, I've found the issue......

So I didn't use the -starttls because I was going directly to port 465 of the SMTP server (Sendmail, Postfix and Stunnel). Each time, if I used telnet to get to port 25 and test, it was fine. As soon as I used openssl things went south. I could do it on 465, I could do it on 25 with the "-starttls smtp", etc... and it always failed.

So it wasn't until I got onto a CentOS 8 system that when I tried, it actually closed with an error message "RENEGOTIATING SSL routines:SSL_renegotiate:wrong ssl version:ssl/ssl_lib.c". I googled and actually found https://noknow.info/it/postfix/solved_ssl_routines_renegotiate . It's apparently a "FEATURE" that if any of your input starts with "R", it'll renegotiate, and apparently "Q" quits. When I finally added "-silent" onto the command line, things worked everywhere.

Sorry for spamming.... It's amazing I couldn't find this info sooner. My system is up/running fine on the original setup with the old software.

Thanks all for the time!

Tuc

On Wed, Sep 23, 2020 at 2:18 PM Quanah Gibson-Mount wrote:

> --On Wednesday, September 23, 2020 12:42 PM -0400 Scott Ellentuch wrote:
>
> > Hi,
>
> What is your exact openssl s_client command?
>
> I.e., you didn't list that you used -starttls smtp as an option in your original email.
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
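The root cause the thread arrives at is a property of the test harness, not of saslauthd or the TLS setup: in interactive mode (neither -quiet nor -ign_eof given) openssl s_client treats a typed line beginning with "R" as a renegotiation request and one beginning with "Q" as a quit, and AUTH LOGIN answers are base64, whose first character is the top six bits of the first byte of the username or password. The script below is an added illustration, not code from the thread or from OpenSSL; the host name and credentials in it are constructed. It builds the AUTH LOGIN lines for a credential, reports which of them an interactive s_client would swallow instead of sending (the same rule applies to the username line, which matches the second message's observation), derives the full set of leading bytes that produce a base64 "R" or "Q", and assembles an s_client command line with the command letters disabled. The "wrong ssl version" error seen on CentOS 8 is what OpenSSL's SSL_renegotiate returns on a TLS 1.3 connection, since TLS 1.3 has no renegotiation; older builds silently renegotiated and the server saw an empty password, which is the saslauthd "NULL password received" line.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample credentials for the demo; none of these are values from the thread.
SAMPLE_USER = "alice"
SAMPLE_PASSWORDS = ["Apple-pie-42", "Dragonfly!", "zebra-crossing"]


def auth_login_lines(user: str, password: str) -> List[str]:
    """The three lines a client types for SMTP AUTH LOGIN.

    After 'AUTH LOGIN' the server prompts '334 VXNlcm5hbWU6' (base64 of
    'Username:') and then '334 UGFzc3dvcmQ6' (base64 of 'Password:'); the
    client answers each prompt with one base64 line.
    """
    return [
        "AUTH LOGIN",
        base64.b64encode(user.encode("utf-8")).decode("ascii"),
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
    ]


def s_client_command_letter(line: str) -> Optional[str]:
    """How an interactive 'openssl s_client' treats a typed line, per its
    manual page: a line beginning with 'R' requests a TLS renegotiation
    (s_client prints RENEGOTIATING) and a line beginning with 'Q' closes the
    connection (s_client prints DONE). Any other line goes to the server."""
    if line.startswith("R"):
        return "renegotiate"
    if line.startswith("Q"):
        return "quit"
    return None


def auth_login_hazards(user: str, password: str) -> List[Tuple[str, str]]:
    """(line, action) for each AUTH LOGIN line that an interactive s_client
    would intercept instead of sending to the mail server."""
    hazards = []
    for line in auth_login_lines(user, password):
        action = s_client_command_letter(line)
        if action is not None:
            hazards.append((line, action))
    return hazards


def first_bytes_encoding_to(prefix: str) -> bytes:
    """Every leading byte whose base64 encoding starts with `prefix`.

    Base64's first output character is the top six bits of the first input
    byte, so this is the set of first characters of a username or password
    that will trip the s_client command letters."""
    return bytes(
        b for b in range(256)
        if base64.b64encode(bytes([b])).decode("ascii").startswith(prefix)
    )


def s_client_args(host: str, port: int, starttls: bool, quiet: bool = False) -> List[str]:
    """openssl s_client invocation with the command letters disabled.

    -ign_eof keeps the certificate chain output but stops 'R'/'Q' handling;
    -quiet implies -ign_eof and also suppresses the session and certificate
    output. For 25/587 the session is upgraded with -starttls smtp; for 465
    TLS is negotiated immediately, so no -starttls is needed."""
    args = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    args.append("-quiet" if quiet else "-ign_eof")
    if starttls:
        args += ["-starttls", "smtp"]
    return args


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(pw, "->", auth_login_hazards(SAMPLE_USER, pw) or "sent cleanly")
    print("first bytes that base64 to 'R':", first_bytes_encoding_to("R"))
    print("first bytes that base64 to 'Q':", first_bytes_encoding_to("Q"))
    print(" ".join(s_client_args("mail.example.test", 587, starttls=True)))
    print(" ".join(s_client_args("mail.example.test", 465, starttls=False)))
```

Running it shows that any password (or username) beginning with D, E, F or G base64-encodes to a line starting with "R", and one beginning with @, A, B or C to a line starting with "Q", which is exactly the split between the RENEGOTIATING and DONE cases in the thread. For anything beyond a quick manual check, a real SMTP client library (for example smtplib's starttls() and login()) avoids the interactive-terminal pitfall entirely.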